Several processes need to occur in a PKI network for a deployment to function smoothly. To address these processes, this chapter covers enrollment, Certificate Expiration and Renewal, Certificate Verification and Enforcement, and PKI Resiliency.

This chapter is from the book

Understanding the basics of cryptography and the building blocks of public key infrastructures provides a foundation for exploring the core processes and practical application of PKI. These processes govern how to get a certificate, how to keep a certificate that is current, how to revoke a certificate, and how to keep a PKI up and running if an outage occurs.

Enrollment

Enrollment is the process to obtain a certificate. The two process of enrollment are manual enrollment and a network SCEP-based enrollment. Network-based SCEP is discussed later in this chapter. Simple Certificate Enrollment Protocol (SCEP) is an IETF draft, draft-nourse-scep-20. Whereas both processes follow the same principles, the procedure for implementation varies. The common events for both scenarios are as follows:

An end host generates an RSA (Rivest, Shamir and Adleman) key pair.

A certificate request containing the end host's public key is delivered to a certificate authority (CA).

The CA signs the request with the CA's private key and generates the end host's certificate.

The certificate is delivered back to the end host.

Manual Enrollment

Sometimes a network connection may not be possible or secure between an endpoint and a certificate server. In this situation a non-network-based approach might be preferred. This approach requires an administrator to manually copy and paste a certificate into the local router.

Manual copy-and-paste enrollment has several steps. The high-level steps are presented here, followed by a detailed example. Example 3-1 through Example 3-6, which illustrates the execution of the following steps:

The spoke is configured to use terminal enrollment.

The certificate authority exports its certificate to the screen.

The spoke authenticates the certificate authority certificate and verifies the fingerprint.

The spoke makes an enrollment request.

The certificate authority grants the request.

The spoke certificate is pasted into the terminal.

NOTE

In the following example, the name of the sub-ca is ra, which refers to Raleigh, not RA (registration authority).

Step 1. Configure the spoke to use terminal enrollment, as illustrated in Example 3-1.

The entire process is conducted by use of terminal access. Consequently, no packet exchanges are required between the certificate authority and the end spoke.

SCEP-Based Enrollment

Adding a large number of routers in an enterprise and going through the steps for each of those would be a painful exercise for the network engineer. Consider a thousand routers. Often, engineers prefer to have a templated configuration that can be set up one time, enabling automation for subsequent certificates upon certificate expiration.

When network connections are possible between an endpoint and a certificate server, a network-based approach might be preferred because it provides the opportunity to templatize the approach, and in the future with features mentioned later, automatic addressing of certificate expiry issues. This approach is easier to implement and requires significantly less labor. Whenever possible, SCEP enrollment is the preferred solution. This approach requires minimal configuration on the router endpoints.

The use of the network-based approach has the chief benefit of improving scalability and limiting operational overhead. SCEP enables an endpoint to request a certificate or other certificate-related functions (revocation checking, and so on) remotely. SCEP runs on TCP port 80; however, it can also run on a nonstandard TCP port.

When an end device has an RSA key pair, it can make a request to the certificate authority using SCEP. That certificate request includes the public key. The CA responds with the new certificate, which is encrypted with the requestor's public key. This way, only the person making the request can decrypt it.

SCEP-based enrollment is configured in trustpoint mode. TCP port 80 is the default port used for SCEP and is configurable using the enrollment command. If a nonstandard port is used, make sure the http server configuration on the CA matches the nonstandard port. As shown in Example 3-7, the spoke is configured to use the CA or sub-CA URL for enrollment.